Use of biometrics in homeland security

"You have nothing to fear, if you have nothing to hide." This sentiment, a translation of the motto of the former East German secret police, the Stasi, was unintentionally echoed by Tom Ridge, the US Department of Homeland Security secretary, earlier this year when he said that legitimate travellers had "nothing to fear" from the introduction of new rules for entering the US.¹

Ridge’s statement - delivered at Atlanta’s international airport, the world’s busiest with 5 million passengers per year - was made to launch the US-Visit border entry procedures. Now, for the first time, the US can collect biometric data - the application of statistical analysis to identify a person by their physical or biological characteristics - on every visa-carrying visitor.

Eventually, all visitors to the US will be biometrically scanned, as even the 13 million visitors from the 27 visa-exempt countries, such as Japan, Australia and much of Europe, are being photographed and fingerprinted to provide biometric information. US passports from this year onwards are being issued with biometric information.

The US-Visit scheme uses inkless fingerprint and facial-scanning technology at all 115 US airports and 14 seaports to match travellers to the criminal watch lists maintained by federal law enforcement agencies. In the two-month trial conducted at Atlanta’s international airport before January 2004, 20,000 passengers underwent screening that helped to identify 21 individuals on the list, according to Ridge.

All biometric technologies work in two ways: identification of a person using biometrics against a database of many; and verification that the person is who they claim to be.

There are eight main biometric technologies, according to a US-based technology and service provider International Biometrics Group:

Biometrics becomes increasingly lucrative

Increasingly effective systems and massive government demand, such as the requirement for travellers from visa-waiver countries to have biometric passports², has led to a massive increase in technology sales.

International Biometrics Group estimates that sales for the eight main technologies would increase from US$719 million in 2003 to US$4.6 billion by 2008. The US alone anticipates that the cost of implementing biometric checks at borders would total up to US$2.9 billion initially and US$1.5 billion a year thereafter.³ Although all major countries will have to implement biometric passports, the cost will increase from £33 (US$58.90) per passport in 2003 to £77 by 2007.⁴

In the rush to market, attempts are being made to put in place coherent standards. The two main international biometrics associations, the Association for Biometrics and the International Biometrics Industry Association, are looking at these issues. The European Biometrics Forum of companies and the Biometrics Security Consortium of 30 Japanese companies also agreed earlier this year to develop a unified standard and equipment for security products based on biometrics technologies, rather than leave the initiative to the US.⁵ The US standardisation work in the Department of Defense is being carried out at the Biometrics Fusion Center in Bridgeport, West Virginia.⁶

Experts are certain that the technology is not 100% accurate by itself, with even the best equipment having a false rejection rate of 4%.⁷ Fingerprint-recognition technology has a false rejection rate of up to 30%. Furthermore, 4-5% of people do not have readable fingerprints due to age or dry hands, which would equate to 200,000 false results per year at Atlanta.

Iris scanning has near-zero false rejection and 1% false positive rates, but 100 cases have been identified in the UK alone of naturally duplicated iris and fingerprint identifiers.⁸

Facial scanning tests by the US government, the results of which were released in March 2003, found that none of the 10 companies’ products worked well either formally or surreptitiously, although three worked well in a controlled environment such as a passport photograph booth.⁹

Hand geometry, used as a person holds a swipe card, is more effective at verification, although still with only 95-96% accuracy. A further drawback is its inability to identify people since a person’s hands are not unique.¹⁰

Voice recognition and thermal imaging are even less reliable, while the US National Aeronautics and Space Administration (NASA) is working on non-invasive neurological scanning technology in an attempt to read people’s intentions.¹¹

Potential pitfalls of biometric databases

The inaccuracies are either false positives or false negatives - those people identified incorrectly or whom the technology failed to recognise despite being on the list. False positives create a ‘crying wolf’ scenario in which the human element in security services becomes inured to repeated warnings and ignores a real criminal match (or, alternatively, relies too much on the technological ‘magic bullet’ to catch the criminals and ignore other warnings).

In fact, even the extent to which the technology is accurate is less important than the human error involved or developing a clean and comprehensive database to match suspects.

To put this in place, governments are to force compliance with an existing system, such as a passport or ID card, augmented by a biometric information chip. Thailand, Singapore, Belgium, Australia, Oman and the United Arab Emirates are looking to introduce such technology.

Even then, the database and technology could fail in its purpose. The main purpose of US-Visit is to prevent terrorists from entering the country rather than catch other criminals, although this is a useful corollary. However, all 19 of the 11 September hijackers used valid visas and travelled on their own passports - they would not have been caught by the US-Visit technology. Even so, future terrorists travelling on false passports could be snared.

UK Home Secretary David Blunkett, whose department is conducting a 10,000-strong trial of a biometric ID card and is preparing to roll out a biometric passport from August, said he could not guarantee that an ID scheme would curb terrorism, reduce illegal economic migration or reduce fraud. Blunkett limited his comments to believing only that it would contribute to improved security and the effective policing of abuses.¹²

Biometric databases will take decades to fill. The UK ID card scheme could only conceivably become compulsory from 2013; the US Federal Bureau of Investigation has a database of 40 million identities out of a population of 270 million; and Canada’s police database has 4 million entries. Potential terrorists might not be included in these databases.

There are also issues of data protection and the need for different agencies to share information or in handling just one source. Thailand suffered a scandal in 2002 when the Anti-Money Laundering Office was revealed to have collected bank details of newspaper editors critical of the government of Prime Minister Thaksin Shinawatra.¹³

Macedonia is investigating the murder of illegal immigrants, allegedly framed by the government as terrorists planning to bomb the US embassy in an attempt to curry favour with the US in the war against terrorism.¹⁴ The US has itself faced allegations that the Florida authorities’ database of ex-convicts, who are barred from voting, was substantially inaccurate before the 2000 presidential election.

Andrew Clements, an information specialist at the University of Toronto, reflects many people’s fears: "I do not think this is about security, it’s about creating insecurity. It is like the orange and yellow alerts that keep Americans in a state of high anxiety. It’s about keeping the public fearful because then it’s more open to manipulation. And people go along with it because they see no alternative."¹⁵

"We have nothing to fear, but fear itself," US President Franklin D Roosevelt said in March 1933. Today we may be afraid of what fear leads us to do.

James Mawson previously served as an International Editor at Financial Times Business and continues to write for the Independent on Sunday business section and the Financial Times

1. "Legitimate travellers who fall into America’s open arms should know that they have nothing to fear in this new system." Tom Ridge’s speech was made at Atlanta Hartsfield-Jackson airport on 5 January 2004.

2. This requirement might be extended for two years due to practical difficulties in introducing the technology in the respective countries.

3 US General Accounting Office report, cited by a survey of biometrics carried out by the Economist, 5 December 2003.

4 Daily Telegraph, 4 May 2004.

5 Daily Yomiuri (Tokyo), 8 January 2004.

6 Newsbytes, 19 March 2004.

7 The Banker, 1 April 2004

8 British Computing Society to House of Commons Home Affairs Committee inquiry into ID cards, as reported by Computing, 18 March 2004.

9 Economist, op cit.

10 The International Institute of Information Technology, Hyderabad, under a project called the Large Environment Visualization Software Team, The Hindu, 18 March 2004.

11 Toronto Star, 24 January 2004

12 Daily Telegraph, 5 May 2004

13 The Nation (Thailand), 27 April 2004.

14 The Guardian, 8 May 2004

15 Toronto Star, op cit.